Subject: Re: Addition to force open to open only regular files
To: Bill Studenmund <email@example.com>
From: Greywolf <firstname.lastname@example.org>
Date: 11/28/2000 15:01:12
On Tue, 28 Nov 2000, Bill Studenmund wrote:
# Vnode locks should NEVER be held when a system call returns to userland.
# If you do that, you open up a huge Denial of Service attack:
D'oh! You're right, of course!
# reserve(pathname, other options); for (;;;) stat(pathname, &a buffer);
# You've just panic'd the computer. This (the lossage resulting from leaving
# a vnode locked) is called, "the race for root."
Okay, is there a reason that getfh() shouldn't be mortal-enabled? It
already does path checking for accessibility; and since a stat() on a
non-readable file is ok, fhstat shouldn't be a problem, either.
And finally, why not make fhopen() respect the permissions on the given
I.e. why are these calls restricted to the super-user? They'd be great
for providing against race conditions which might occur in the mortal
I must be missing something.
*BSD: The Power of Code.